Severity: high
Valid

A wrong Merkle root is used in the deploy script, so the airdrop contract is set up with the wrong amount to claim.

Summary

The Merkle root is generated incorrectly and then used in the deploy script, which sets the wrong amount to claim.

Vulnerability Details

In the Deploy.s.sol script, the Merkle root is set to the wrong value.

contract Deploy is Script {
    address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
    // @audit - wrong merkle root
@>  bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
.
.

This is because the wrong number of decimals is used in the makeMerkle.js script: USDC on zkSync has 6 decimals, not 18.

/*//////////////////////////////////////////////////////////////
INPUTS
//////////////////////////////////////////////////////////////*/
// @audit - wrong number of decimals
@> const amount = (25 * 1e18).toString()
const userToGetProofOf = "0x20F41376c713072937eb02Be70ee1eD0D639966C"
.
.

Impact

Users won't be able to claim the intended amount of 25 USDC.
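
The effect described above, as an added example that is not part of the original submission or the project's code: a small Merkle tree whose leaves were scaled with 18 decimals rejects a claim for 25 USDC expressed in 6-decimal base units. SHA-256 stands in for keccak256, and the leaf layout, the helper names, and every address except the first are assumptions.

```javascript
// Added illustration, not the project's makeMerkle.js. SHA-256 stands in for
// keccak256; the leaf layout and every address except the first are assumptions.
const { createHash } = require("node:crypto");
const USDC_DECIMALS = 6; // per the finding: USDC on zkSync has 6 decimals
// Constructed claimant list, 25 USDC each.
const ACCOUNTS = ["0x20F41376c713072937eb02Be70ee1eD0D639966C",
  "0x" + "11".repeat(20), "0x" + "22".repeat(20)];
// Scale whole tokens to base units with BigInt, avoiding float arithmetic.
const toBaseUnits = (whole, decimals) => BigInt(whole) * 10n ** BigInt(decimals);
const h = (...parts) => createHash("sha256").update(Buffer.concat(parts)).digest();
// Sorted-pair hashing, so a proof needs no left/right position flags.
const pair = (a, b) => (Buffer.compare(a, b) <= 0 ? h(a, b) : h(b, a));
// Assumed leaf: hash(20-byte address || amount as a 32-byte big-endian integer).
function leaf(account, amount) {
  const amountHex = amount.toString(16).padStart(64, "0");
  return h(Buffer.from(account.slice(2), "hex"), Buffer.from(amountHex, "hex"));
}

// Build every tree level; an unpaired node is promoted unchanged.
function buildLevels(leaves) {
  const levels = [leaves];
  for (let cur = leaves; cur.length > 1; levels.push(cur)) {
    const next = [];
    for (let i = 0; i < cur.length; i += 2)
      next.push(i + 1 < cur.length ? pair(cur[i], cur[i + 1]) : cur[i]);
    cur = next;
  }
  return levels;
}

// Collect the sibling hash at each level below the root.
function proofFor(levels, index) {
  const proof = [];
  for (const level of levels.slice(0, -1)) {
    if ((index ^ 1) < level.length) proof.push(level[index ^ 1]);
    index >>= 1;
  }
  return proof;
}

// Does a 25 USDC claim (6 decimals) verify against a tree scaled with treeDecimals?
function claimVerifies(treeDecimals) {
  const levels = buildLevels(ACCOUNTS.map((a) => leaf(a, toBaseUnits(25, treeDecimals))));
  const root = levels[levels.length - 1][0];
  const claimed = leaf(ACCOUNTS[0], toBaseUnits(25, USDC_DECIMALS));
  return proofFor(levels, 0).reduce((acc, sib) => pair(acc, sib), claimed).equals(root);
}

console.log({ tree18: claimVerifies(18), tree6: claimVerifies(6) });
```

A check like this can run before deployment to confirm that the committed root was built from amounts in the token's actual base units.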

Tools Used

Manual review

Recommendations

The claim amount needs to use 6 decimals instead of 18.

/*//////////////////////////////////////////////////////////////
INPUTS
//////////////////////////////////////////////////////////////*/
// @audit - wrong numbers of decimals
- const amount = (25 * 1e18).toString()
+ const amount = (25 * 1e6).toString()
const userToGetProofOf = "0x20F41376c713072937eb02Be70ee1eD0D639966C"
.
.
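
Review bot: the changed amount line only fixes the input to makeMerkle.js, while the s_merkleRoot constant hard-coded in Deploy.s.sol was generated from the old 18-decimal value, so the recommendation should also state that the script must be rerun and that constant replaced with the newly generated root. The context comment "// @audit - wrong numbers of decimals" above the corrected line no longer applies and should be dropped from the fixed version. Deriving the amount from a named decimals constant instead of the literal 1e6 would make the unit explicit and easier to review.
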
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

wrong-usdc-decimals-in-merkle